Roaming Client: Enable/Disable Protected Network feature

This article describes how to enable or disable the roaming client's protected network feature for different network environments. It lets administrators configure separate "on-network" and "off-network" policies so that content filtering differs on and off the corporate network. If you do not use content filtering, this feature may not be desirable. Confirm the prerequisites before changing this setting.

Prerequisites

The roaming client should only be disabled on a network when the reporting and policy for that network are identical to what the client would receive while its DNS traffic is encrypted and sent directly to Umbrella.

Local Network

The local DNS servers must be configured to use Umbrella as their sole DNS forwarder.

The DHCP scope must be configured to hand out the IPs of the internal DNS servers.

The local network must allow direct outbound access to 208.67.222.222 on either UDP port 53 or UDP port 443.

The workstation's egress IP must belong to the same registered Umbrella network as the local DNS server's egress IP. That is, the "originid" field returned by the following two commands (one querying Umbrella directly, one querying your local DNS server) must match:

nslookup -type=txt debug.opendns.com 208.67.222.222

nslookup -type=txt debug.opendns.com [local DNS server IP]
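As an added example that is not part of this article or of Cisco Umbrella, the shell script below automates the originid comparison: it parses the TXT records that nslookup prints for debug.opendns.com, extracts the "originid" value from each response, and reports whether the direct lookup and the lookup via your local DNS server agree. The sample responses embedded in it are constructed, with made-up server names, IDs and addresses. Because nslookup on macOS/Linux prints each TXT record on one line while Windows nslookup prints the quoted string on its own line, the parser keys only on the quoted "originid ..." string and works on either layout.

```bash
#!/usr/bin/env bash
# Added example (not from the Umbrella article): compare the "originid" returned
# by debug.opendns.com when queried directly against Umbrella and when queried via
# the local DNS server. A mismatch means the workstation and the local DNS server
# egress from different registered networks, so the protected network feature
# would apply the wrong policy.

# Extract the originid value from nslookup TXT output read from stdin.
# Matches the quoted string wherever it appears on the line, so both the
# one-line (macOS/Linux) and split-line (Windows) nslookup layouts work.
originid_from_output() {
    sed -n 's/.*"originid \([0-9A-Za-z_-]*\)".*/\1/p' | head -n 1
}

# Compare two nslookup outputs. Prints MATCH or MISMATCH; returns 0 on match,
# 1 on mismatch, 2 if either response has no originid record at all.
compare_originid() {
    local direct="$1" via_local="$2"
    local a b
    a=$(printf '%s\n' "$direct" | originid_from_output)
    b=$(printf '%s\n' "$via_local" | originid_from_output)
    if [ -z "$a" ] || [ -z "$b" ]; then
        echo "ERROR: originid missing from a response (direct='$a' local='$b')" >&2
        return 2
    fi
    if [ "$a" = "$b" ]; then
        echo "MATCH: originid $a"
        return 0
    fi
    echo "MISMATCH: direct=$a local=$b"
    return 1
}

# Live check: run the two nslookup commands from the article, with the local
# DNS server IP given as the first argument, and compare the results.
check_live() {
    local local_dns="$1"
    local direct via_local
    direct=$(nslookup -type=txt debug.opendns.com 208.67.222.222 2>&1)
    via_local=$(nslookup -type=txt debug.opendns.com "$local_dns" 2>&1)
    compare_originid "$direct" "$via_local"
}

# Constructed sample responses (all values below are made up).
# macOS/Linux style: one TXT record per line.
SAMPLE_DIRECT='Server:  208.67.222.222
Address: 208.67.222.222#53

Non-authoritative answer:
debug.opendns.com text = "server m1.example"
debug.opendns.com text = "originid 12345678"
debug.opendns.com text = "source 203.0.113.10:40000"'

# Windows style: the quoted string sits on its own line below "text =".
SAMPLE_VIA_LOCAL_OK='Server:  dc01.corp.example
Address:  10.0.0.10

Non-authoritative answer:
debug.opendns.com       text =

        "server m1.example"
debug.opendns.com       text =

        "originid 12345678"
debug.opendns.com       text =

        "source 203.0.113.10:40010"'

# A local DNS server that egresses from a different registered network.
SAMPLE_VIA_LOCAL_BAD='Server:  dc02.corp.example
Address:  10.0.0.11

Non-authoritative answer:
debug.opendns.com text = "server m2.example"
debug.opendns.com text = "originid 87654321"
debug.opendns.com text = "source 198.51.100.7:40020"'

# Usage: ./check_originid.sh <local-dns-ip>   runs the live check.
# With no argument, demonstrate on the constructed samples instead.
if [ -n "${1:-}" ]; then
    check_live "$1"
else
    compare_originid "$SAMPLE_DIRECT" "$SAMPLE_VIA_LOCAL_OK"
    compare_originid "$SAMPLE_DIRECT" "$SAMPLE_VIA_LOCAL_BAD" || true
fi
```

Run it with your internal DNS server's IP as the argument on a workstation that is on the network in question; a MISMATCH result means the egress prerequisite is not met and the feature should not be enabled for that network until it is.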

Umbrella Dashboard

Your subscription must include network protection.

The network(s) in question must exist in the Umbrella dashboard.

The network(s) in question must be included in an Umbrella policy that has a higher precedence than the policy applied to the roaming clients you want this to affect.

Note: The network policy does not need to enforce content filtering or have logging configured. Security filtering will be enabled by default, but can also be disabled inside the Policy editor. The presence and placement of the policy is all that matters.

Behavioral Changes

When on a protected network, roaming users' DNS behaves as though they were regular network users:

Roaming users will be subject to the relevant network policy's settings.

The main difference with protected networks is that the client's DNS settings revert to what DHCP provided, instead of DNS being encrypted and sent directly to Umbrella. With regular networks (redirection still enabled), you can still achieve separate off-network and on-network policies simply by placing the network-based policy higher in the Policy builder.

Configuring your internal domains should prevent any issues with accessing internal resources while on a regular network.

Both protected network and regular network setups require a network policy with a higher precedence than any Umbrella roaming client policy if you want separate off-network and on-network policies. Without this, the Umbrella roaming client policy will take precedence over the network policy.

Solution

To enable the feature in the Umbrella dashboard:

Navigate to Identities > Roaming Computers.

Click the Roaming client settings icon.

Check Disable DNS redirection while on an Umbrella Protected Network and click Save.

Double-check that you have met all the prerequisites listed earlier in this article.

Once these steps are completed, the Umbrella roaming client will receive the change in roughly 10 minutes. You should see this reflected in the tray icon.

Please open a support ticket if you believe it should be working, but it is not.